Bug 217581 - Bluetooth L2CAP use-after-free
Summary: Bluetooth L2CAP use-after-free
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Bluetooth
Hardware: All Linux
Importance: P3 high
Assignee: linux-bluetooth@vger.kernel.org
URL:
Keywords:
Depends on:
Blocks:

Reported: 2023-06-21 10:18 UTC by Mohamed Yassine JEBABLI
Modified: 2023-06-29 14:14 UTC
CC List: 1 user

See Also:
Kernel Version:
Subsystem:
Regression: No
Bisected commit-id:


Attachments
Kernel and btmon log (22.50 KB, text/plain)
2023-06-21 10:19 UTC, Mohamed Yassine JEBABLI

Description Mohamed Yassine JEBABLI 2023-06-21 10:18:51 UTC
In reconnect slave mode, I start direct advertising. After establishing the connection with the central device, we begin ATT exchanges over the L2CAP socket, and then I receive a disconnect with L2CAP traces. This issue is observed across different kernel versions such as 5.17, 6.2, 6.3, 6.3.7, etc.

Kernel log with bluetooth debugfs activated.
Comment 1 Mohamed Yassine JEBABLI 2023-06-21 10:19:55 UTC
Created attachment 304468 [details]
Kernel and btmon log
Comment 2 Mohamed Yassine JEBABLI 2023-06-21 10:43:49 UTC
Kernel log:

[ 2415.213175] chan 00000000a604c117
[ 2415.213191] chan 00000000a604c117 orig refcnt 1
[ 2415.320464] hcon 00000000f362d481 bdaddr 48:b0:2d:02:81:0a status 0
[ 2415.320494] hcon 00000000f362d481 conn 000000001363748a hchan 0000000081571a4f
[ 2415.320505] chan 00000000a604c117 orig refcnt 2
[ 2415.320523] chan 00000000128f5e36
[ 2415.320528] chan 00000000128f5e36 orig refcnt 1
[ 2415.320536] conn 000000001363748a, psm 0x00, dcid 0x0004
[ 2415.320543] chan 00000000128f5e36 orig refcnt 2
[ 2415.320548] chan 000000009ddada5b orig refcnt 1
[ 2415.320553] chan 00000000a604c117 orig refcnt 3
[ 2415.320558] chan 00000000d0b20736
[ 2415.320562] conn 000000001363748a, psm 0x00, dcid 0x0006
[ 2415.320567] chan 00000000d0b20736 orig refcnt 1
[ 2415.320573] chan 000000009ddada5b orig refcnt 2
[ 2415.320578] conn 000000001363748a
[ 2415.320628] chan 00000000d0b20736 len 2
[ 2415.320639] chan 00000000d0b20736, skb 0000000099ea3217 len 6 priority 7
[ 2415.320660] hci1 conn 000000001363748a

[ 2415.614466] conn 000000001363748a status 0x00 encrypt 2
[ 2415.614480] chan 00000000d0b20736 scid 0x0006 state BT_CONNECTED
[ 2415.614495] chan 00000000128f5e36 scid 0x0004 state BT_OPEN
[ 2415.710469] hcon 00000000f362d481 reason 19
[ 2415.710495] hcon 00000000f362d481 conn 000000001363748a, err 104
[ 2415.710505] chan 00000000d0b20736 orig refcnt 2
[ 2415.710512] chan 00000000d0b20736, conn 000000001363748a, err 104, state BT_CONNECTED
[ 2415.710519] chan 00000000d0b20736 orig refcnt 3
[ 2415.710523] chan 00000000d0b20736 orig refcnt 2
[ 2415.710527] chan 00000000d0b20736 orig refcnt 1
[ 2415.710531] chan 00000000d0b20736
[ 2415.710536] chan 00000000128f5e36 orig refcnt 3
[ 2415.710540] chan 00000000128f5e36, conn 000000001363748a, err 104, state BT_OPEN
[ 2415.710548] chan 00000000128f5e36 orig refcnt 4
[ 2415.710558] chan 00000000128f5e36 orig refcnt 3
[ 2415.710562] chan 00000000128f5e36 orig refcnt 2
[ 2415.815007] chan 00000000a604c117 orig refcnt 2
[ 2415.815018] chan 00000000a604c117 state BT_LISTEN
[ 2415.815022] chan 00000000128f5e36 orig refcnt 1
[ 2415.815024] chan 00000000128f5e36
[ 2415.815030] chan 00000000128f5e36 orig refcnt 0
[ 2415.815031] ------------[ cut here ]------------
[ 2415.815033] refcount_t: addition on 0; use-after-free.
[ 2415.815045] WARNING: CPU: 0 PID: 10662 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x150
[ 2415.815056] Modules linked in: algif_hash algif_skcipher af_alg cmac r8153_ecm cdc_ether usbnet r8152 uas mii usb_storage snd_usb_audio snd_usbmidi_lib mc ccm snd_seq_dummy snd_hrtimer hid_sensor_als hid_sensor_trigger industrialio_triggered_buffer kfifo_buf hid_sensor_iio_common industrialio hid_sensor_custom joydev snd_ctl_led snd_soc_skl_hda_dsp snd_soc_intel_hda_dsp_common snd_soc_hdac_hdmi snd_sof_probes btusb btrtl btbcm btintel btmtk bluetooth usbhid ecdh_generic ecc snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_soc_dmic snd_sof_pci_intel_tgl snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi soundwire_bus iwlmvm snd_soc_core binfmt_misc snd_compress x86_pkg_temp_thermal ac97_bus intel_powerclamp snd_pcm_dmaengine coretemp snd_hda_intel mac80211 snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec
[ 2415.815127]  kvm_intel snd_hda_core libarc4 snd_hwdep kvm snd_pcm hid_sensor_hub hid_multitouch irqbypass crct10dif_pclmul crc32_pclmul polyval_clmulni snd_seq_midi snd_seq_midi_event polyval_generic ghash_clmulni_intel sha512_ssse3 hid_generic snd_rawmidi mei_hdcp mei_pxp iwlwifi snd_seq aesni_intel cmdlinepart crypto_simd spi_nor snd_seq_device cryptd ucsi_acpi pmt_telemetry nls_iso8859_1 mtd pmt_class snd_timer intel_rapl_msr mei_me processor_thermal_device_pci rapl snd i2c_i801 intel_lpss_pci processor_thermal_device spi_intel_pci processor_thermal_rfim xhci_pci intel_lpss wmi_bmof cfg80211 intel_cstate typec_ucsi soundcore i2c_smbus mei spi_intel thunderbolt idma64 intel_vsec processor_thermal_mbox xhci_pci_renesas processor_thermal_rapl intel_skl_int3472_tps68470 typec intel_rapl_common igen6_edac tps68470_regulator i2c_hid_acpi clk_tps68470 i2c_hid ideapad_laptop hid platform_profile int3403_thermal int340x_thermal_zone intel_hid int3400_thermal sparse_keymap intel_skl_int3472_discrete acpi_thermal_rel acpi_tad
[ 2415.815198]  acpi_pad msr parport_pc ppdev lp parport efi_pstore dmi_sysfs ip_tables x_tables autofs4 i915 i2c_algo_bit drm_buddy drm_display_helper drm_kms_helper syscopyarea sysfillrect sysimgblt cec rc_core ttm nvme drm psmouse serio_raw nvme_core video nvme_common mac_hid wmi pinctrl_tigerlake
[ 2415.815230] CPU: 0 PID: 10662 Comm: HCIManager Not tainted 6.3.7-060307-generic #202306090936
[ 2415.815234] Hardware name: LENOVO 82T0/LNVNB161216, BIOS J3CN45WW 08/26/2022
[ 2415.815236] RIP: 0010:refcount_warn_saturate+0x12e/0x150
[ 2415.815241] Code: 1d 47 06 e0 01 80 fb 01 0f 87 06 e6 8a 00 83 e3 01 0f 85 52 ff ff ff 48 c7 c7 00 ab d9 89 c6 05 27 06 e0 01 01 e8 c2 5b 93 ff <0f> 0b e9 38 ff ff ff 48 c7 c7 d8 aa d9 89 c6 05 0e 06 e0 01 01 e8
[ 2415.815244] RSP: 0018:ffffba9ac6dcbcf8 EFLAGS: 00010246
[ 2415.815247] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 2415.815249] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 2415.815250] RBP: ffffba9ac6dcbd00 R08: 0000000000000000 R09: 0000000000000000
[ 2415.815251] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9e6d23f20000
[ 2415.815253] R13: ffff9e6d3a587c00 R14: ffff9e6d3a587000 R15: ffff9e6d23f236f8
[ 2415.815254] FS:  00007fe9ae5fc6c0(0000) GS:ffff9e7083400000(0000) knlGS:0000000000000000
[ 2415.815257] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2415.815259] CR2: 0000564028065050 CR3: 0000000126a04000 CR4: 0000000000750ef0
[ 2415.815261] PKRU: 55555554
[ 2415.815262] Call Trace:
[ 2415.815264]  <TASK>
[ 2415.815269]  ? show_regs+0x6d/0x80
[ 2415.815275]  ? __warn+0x89/0x160
[ 2415.815282]  ? refcount_warn_saturate+0x12e/0x150
[ 2415.815285]  ? report_bug+0x17e/0x1b0
[ 2415.815290]  ? handle_bug+0x46/0x90
[ 2415.815295]  ? exc_invalid_op+0x18/0x80
[ 2415.815298]  ? asm_exc_invalid_op+0x1b/0x20
[ 2415.815307]  ? refcount_warn_saturate+0x12e/0x150
[ 2415.815311]  ? refcount_warn_saturate+0x12e/0x150
[ 2415.815315]  l2cap_chan_hold+0x7f/0xa0 [bluetooth]
[ 2415.815405]  l2cap_sock_teardown_cb+0x145/0x1f0 [bluetooth]
[ 2415.815478]  l2cap_chan_close+0x9d/0x2d0 [bluetooth]
[ 2415.815543]  l2cap_sock_shutdown+0x251/0x340 [bluetooth]
[ 2415.815606]  l2cap_sock_release+0x4d/0xf0 [bluetooth]
[ 2415.815665]  __sock_release+0x3f/0xc0
[ 2415.815669]  sock_close+0x15/0x30
[ 2415.815672]  __fput+0x95/0x270
[ 2415.815677]  ____fput+0xe/0x20
[ 2415.815680]  task_work_run+0x5e/0xa0
[ 2415.815684]  exit_to_user_mode_loop+0x100/0x130
[ 2415.815688]  exit_to_user_mode_prepare+0xa5/0xb0
[ 2415.815691]  syscall_exit_to_user_mode+0x29/0x50
[ 2415.815694]  do_syscall_64+0x67/0x90
[ 2415.815699]  ? syscall_exit_to_user_mode+0x29/0x50
[ 2415.815702]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 2415.815707] RIP: 0033:0x7fe9aff0c0ca
[ 2415.815759] Code: 00 00 0f 05 48 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 b3 ee f7 ff 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 13 ef f7 ff 8b 44 24
[ 2415.815761] RSP: 002b:00007fe9ae5fb9b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 2415.815764] RAX: 0000000000000000 RBX: 000055c4c29366f8 RCX: 00007fe9aff0c0ca
[ 2415.815766] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
[ 2415.815767] RBP: 00007fe9ae5fb9e0 R08: 00007fe9a40013f0 R09: 00000000ffffffff
[ 2415.815769] R10: 00007fe9afe134b8 R11: 0000000000000293 R12: 00007fe9a8000c81
[ 2415.815770] R13: 00007fe9a8000c50 R14: 00007fe9afdfe860 R15: 00007fe9addfc000
[ 2415.815773]  </TASK>
[ 2415.815775] ---[ end trace 0000000000000000 ]---
[ 2415.815778] chan 00000000128f5e36 state BT_OPEN
[ 2415.815780] chan 00000000128f5e36 orig refcnt 3221225472
[ 2415.815782] ------------[ cut here ]------------
[ 2415.815783] refcount_t: underflow; use-after-free.
[ 2415.815789] WARNING: CPU: 0 PID: 10662 at lib/refcount.c:28 refcount_warn_saturate+0xa3/0x150
[ 2415.815794] Modules linked in: algif_hash algif_skcipher af_alg cmac r8153_ecm cdc_ether usbnet r8152 uas mii usb_storage snd_usb_audio snd_usbmidi_lib mc ccm snd_seq_dummy snd_hrtimer hid_sensor_als hid_sensor_trigger industrialio_triggered_buffer kfifo_buf hid_sensor_iio_common industrialio hid_sensor_custom joydev snd_ctl_led snd_soc_skl_hda_dsp snd_soc_intel_hda_dsp_common snd_soc_hdac_hdmi snd_sof_probes btusb btrtl btbcm btintel btmtk bluetooth usbhid ecdh_generic ecc snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_soc_dmic snd_sof_pci_intel_tgl snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi soundwire_bus iwlmvm snd_soc_core binfmt_misc snd_compress x86_pkg_temp_thermal ac97_bus intel_powerclamp snd_pcm_dmaengine coretemp snd_hda_intel mac80211 snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec
[ 2415.815843]  kvm_intel snd_hda_core libarc4 snd_hwdep kvm snd_pcm hid_sensor_hub hid_multitouch irqbypass crct10dif_pclmul crc32_pclmul polyval_clmulni snd_seq_midi snd_seq_midi_event polyval_generic ghash_clmulni_intel sha512_ssse3 hid_generic snd_rawmidi mei_hdcp mei_pxp iwlwifi snd_seq aesni_intel cmdlinepart crypto_simd spi_nor snd_seq_device cryptd ucsi_acpi pmt_telemetry nls_iso8859_1 mtd pmt_class snd_timer intel_rapl_msr mei_me processor_thermal_device_pci rapl snd i2c_i801 intel_lpss_pci processor_thermal_device spi_intel_pci processor_thermal_rfim xhci_pci intel_lpss wmi_bmof cfg80211 intel_cstate typec_ucsi soundcore i2c_smbus mei spi_intel thunderbolt idma64 intel_vsec processor_thermal_mbox xhci_pci_renesas processor_thermal_rapl intel_skl_int3472_tps68470 typec intel_rapl_common igen6_edac tps68470_regulator i2c_hid_acpi clk_tps68470 i2c_hid ideapad_laptop hid platform_profile int3403_thermal int340x_thermal_zone intel_hid int3400_thermal sparse_keymap intel_skl_int3472_discrete acpi_thermal_rel acpi_tad
[ 2415.815894]  acpi_pad msr parport_pc ppdev lp parport efi_pstore dmi_sysfs ip_tables x_tables autofs4 i915 i2c_algo_bit drm_buddy drm_display_helper drm_kms_helper syscopyarea sysfillrect sysimgblt cec rc_core ttm nvme drm psmouse serio_raw nvme_core video nvme_common mac_hid wmi pinctrl_tigerlake
[ 2415.815916] CPU: 0 PID: 10662 Comm: HCIManager Tainted: G        W          6.3.7-060307-generic #202306090936
[ 2415.815919] Hardware name: LENOVO 82T0/LNVNB161216, BIOS J3CN45WW 08/26/2022
[ 2415.815920] RIP: 0010:refcount_warn_saturate+0xa3/0x150
[ 2415.815924] Code: cc cc 0f b6 1d cd 06 e0 01 80 fb 01 0f 87 79 e6 8a 00 83 e3 01 75 dd 48 c7 c7 30 ab d9 89 c6 05 b1 06 e0 01 01 e8 4d 5c 93 ff <0f> 0b eb c6 0f b6 1d a4 06 e0 01 80 fb 01 0f 87 39 e6 8a 00 83 e3
[ 2415.815926] RSP: 0018:ffffba9ac6dcbce0 EFLAGS: 00010246
[ 2415.815928] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 2415.815930] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 2415.815931] RBP: ffffba9ac6dcbce8 R08: 0000000000000000 R09: 0000000000000000
[ 2415.815932] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9e6d23f20000
[ 2415.815934] R13: ffff9e6d3a587c00 R14: ffff9e6d3a587000 R15: ffff9e6d23f236f8
[ 2415.815935] FS:  00007fe9ae5fc6c0(0000) GS:ffff9e7083400000(0000) knlGS:0000000000000000
[ 2415.815937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2415.815939] CR2: 0000564028065050 CR3: 0000000126a04000 CR4: 0000000000750ef0
[ 2415.815941] PKRU: 55555554
[ 2415.815942] Call Trace:
[ 2415.815943]  <TASK>
[ 2415.815944]  ? show_regs+0x6d/0x80
[ 2415.815948]  ? __warn+0x89/0x160
[ 2415.815953]  ? refcount_warn_saturate+0xa3/0x150
[ 2415.815956]  ? report_bug+0x17e/0x1b0
[ 2415.815959]  ? handle_bug+0x46/0x90
[ 2415.815962]  ? exc_invalid_op+0x18/0x80
[ 2415.815965]  ? asm_exc_invalid_op+0x1b/0x20
[ 2415.815971]  ? refcount_warn_saturate+0xa3/0x150
[ 2415.815975]  l2cap_chan_put+0x78/0x90 [bluetooth]
[ 2415.816041]  l2cap_sock_kill+0x42/0xc0 [bluetooth]
[ 2415.816105]  l2cap_sock_teardown_cb+0x10a/0x1f0 [bluetooth]
[ 2415.816167]  l2cap_chan_close+0x9d/0x2d0 [bluetooth]
[ 2415.816231]  l2cap_sock_shutdown+0x251/0x340 [bluetooth]
[ 2415.816292]  l2cap_sock_release+0x4d/0xf0 [bluetooth]
[ 2415.816351]  __sock_release+0x3f/0xc0
[ 2415.816354]  sock_close+0x15/0x30
[ 2415.816357]  __fput+0x95/0x270
[ 2415.816361]  ____fput+0xe/0x20
[ 2415.816364]  task_work_run+0x5e/0xa0
[ 2415.816367]  exit_to_user_mode_loop+0x100/0x130
[ 2415.816370]  exit_to_user_mode_prepare+0xa5/0xb0
[ 2415.816372]  syscall_exit_to_user_mode+0x29/0x50
[ 2415.816375]  do_syscall_64+0x67/0x90
[ 2415.816380]  ? syscall_exit_to_user_mode+0x29/0x50
[ 2415.816382]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 2415.816387] RIP: 0033:0x7fe9aff0c0ca
[ 2415.816394] Code: 00 00 0f 05 48 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 b3 ee f7 ff 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 13 ef f7 ff 8b 44 24
[ 2415.816396] RSP: 002b:00007fe9ae5fb9b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 2415.816399] RAX: 0000000000000000 RBX: 000055c4c29366f8 RCX: 00007fe9aff0c0ca
[ 2415.816401] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
[ 2415.816402] RBP: 00007fe9ae5fb9e0 R08: 00007fe9a40013f0 R09: 00000000ffffffff
[ 2415.816403] R10: 00007fe9afe134b8 R11: 0000000000000293 R12: 00007fe9a8000c81
[ 2415.816405] R13: 00007fe9a8000c50 R14: 00007fe9afdfe860 R15: 00007fe9addfc000
[ 2415.816408]  </TASK>
[ 2415.816409] ---[ end trace 0000000000000000 ]---
[ 2415.816411] chan 00000000128f5e36 orig refcnt 3221225472
[ 2415.816413] chan 00000000a604c117 orig refcnt 3
[ 2415.816415] chan 00000000a604c117 orig refcnt 2
[ 2415.816416] chan 00000000a604c117 orig refcnt 3
[ 2415.816418] chan 00000000a604c117 orig refcnt 2
[ 2415.816420] chan 00000000a604c117 orig refcnt 1
[ 2415.816422] chan 00000000a604c117
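Reading the l2cap_chan_hold()/l2cap_chan_put() debug lines by hand is error-prone, so here is an added Python helper (not part of the bug report or of the kernel) that replays the `chan <ptr> orig refcnt N` lines per channel and flags the pattern in the trace above: an operation on a count that is already 0, followed by the saturated value 3221225472 (0xC0000000, the kernel's REFCOUNT_SATURATED). It assumes, as the kernel's debug output does, that the printed value is the count before the hold or put; the sample lines are a subset copied from comment 2.

```python
import re
from collections import defaultdict

# refcount_t saturation marker (REFCOUNT_SATURATED = INT_MIN / 2 = 0xC0000000);
# it is the 3221225472 seen in the log once the kernel has warned.
REFCOUNT_SATURATED = 0xC0000000

# l2cap_chan_hold()/l2cap_chan_put() print "chan <ptr> orig refcnt <n>" with the
# count *before* the kref operation, so one line alone does not say whether it
# was a hold or a put; the next value logged for the same channel does.
CHAN_RE = re.compile(r"chan ([0-9a-f]+) orig refcnt (\d+)")


def parse_refcnt_timeline(lines):
    """Return {chan_ptr: [orig refcnt values in log order]}."""
    timeline = defaultdict(list)
    for line in lines:
        m = CHAN_RE.search(line)
        if m:
            timeline[m.group(1)].append(int(m.group(2)))
    return dict(timeline)


def classify_ops(values):
    """Label each logged operation from the value that follows it:
    +1 -> hold, -1 -> put, jump to the saturation marker -> saturated,
    anything else (including the last entry, which has no successor) -> '?'."""
    if not values:
        return []
    labels = []
    for cur, nxt in zip(values, values[1:]):
        if nxt == cur + 1:
            labels.append("hold")
        elif nxt == cur - 1:
            labels.append("put")
        elif nxt >= REFCOUNT_SATURATED:
            labels.append("saturated")
        else:
            labels.append("?")
    labels.append("?")  # last op: nothing to compare against
    return labels


def find_refcount_anomalies(lines):
    """Flag channels that were held or put while their count was already 0
    (the put that took it to 0 freed the object, so any later hold/put is a
    use-after-free) or whose count shows the saturated value.
    Returns {chan_ptr: [description, ...]}."""
    findings = {}
    for chan, values in parse_refcnt_timeline(lines).items():
        problems = []
        for i, v in enumerate(values):
            if v == 0:
                problems.append(f"op {i}: hold/put on refcount 0 (use-after-free)")
            elif v >= REFCOUNT_SATURATED:
                problems.append(f"op {i}: refcount already saturated (0x{v:x})")
        if problems:
            findings[chan] = problems
    return findings


# Constructed sample: a subset of the kernel log lines from comment 2 above.
SAMPLE_LOG = """\
[ 2415.320523] chan 00000000128f5e36
[ 2415.320528] chan 00000000128f5e36 orig refcnt 1
[ 2415.320543] chan 00000000128f5e36 orig refcnt 2
[ 2415.710536] chan 00000000128f5e36 orig refcnt 3
[ 2415.710548] chan 00000000128f5e36 orig refcnt 4
[ 2415.710558] chan 00000000128f5e36 orig refcnt 3
[ 2415.710562] chan 00000000128f5e36 orig refcnt 2
[ 2415.815007] chan 00000000a604c117 orig refcnt 2
[ 2415.815022] chan 00000000128f5e36 orig refcnt 1
[ 2415.815030] chan 00000000128f5e36 orig refcnt 0
[ 2415.815033] refcount_t: addition on 0; use-after-free.
[ 2415.815780] chan 00000000128f5e36 orig refcnt 3221225472
[ 2415.816420] chan 00000000a604c117 orig refcnt 1
""".splitlines()


if __name__ == "__main__":
    for chan, values in parse_refcnt_timeline(SAMPLE_LOG).items():
        print(chan, list(zip(values, classify_ops(values))))
    print(find_refcount_anomalies(SAMPLE_LOG))
```

For channel 00000000128f5e36 the replay reads hold, hold, hold, put, put, put, put (count reaches 0, object destroyed), then one more operation on the freed channel, which is the hold in l2cap_sock_teardown_cb() that the first WARNING reports.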
Comment 3 Mohamed Yassine JEBABLI 2023-06-21 10:44:35 UTC
btmon trace:

@ MGMT Command: Load Long Te.. (0x0013) plen 38  {0x0001} [hci1] 835.836638
        Keys: 1
        LE Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Key type: Unauthenticated legacy key (0x00)
        Central: 0x00
        Encryption size: 16
        Diversifier: 5565
        Randomizer: 08014962c65a5aef
        Key: ea06c5bdb5409c43d3935b7e5b79877a
@ MGMT Event: Command Complete (0x0001) plen 3   {0x0001} [hci1] 835.836651
      Load Long Term Keys (0x0013) plen 0
        Status: Success (0x00)
@ MGMT Command: Load Identit.. (0x0030) plen 25  {0x0001} [hci1] 835.837036
        Keys: 1
        LE Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Key: d74d35e5fd6e95d6804b8391487d76d8
@ MGMT Event: Command Complete (0x0001) plen 3   {0x0001} [hci1] 835.837046
      Load Identity Resolving Keys (0x0030) plen 0
        Status: Success (0x00)
< HCI Command: LE Clear Res.. (0x08|0x0029) plen 0  #1018 [hci1] 835.837519
> HCI Event: Command Complete (0x0e) plen 4         #1019 [hci1] 836.030177
      LE Clear Resolving List (0x08|0x0029) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Add Devi.. (0x08|0x0027) plen 39  #1020 [hci1] 836.031432
        Address type: Public (0x00)
        Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Peer identity resolving key: d74d35e5fd6e95d6804b8391487d76d8
        Local identity resolving key: 00000000000000000000000000000000
> HCI Event: Command Complete (0x0e) plen 4         #1021 [hci1] 836.033137
      LE Add Device To Resolving List (0x08|0x0027) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Addre.. (0x08|0x002d) plen 1  #1022 [hci1] 836.033708
        Address resolution: Enabled (0x01)
> HCI Event: Command Complete (0x0e) plen 4         #1023 [hci1] 836.035051
      LE Set Address Resolution Enable (0x08|0x002d) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Adve.. (0x08|0x0008) plen 32  #1024 [hci1] 836.035618
        Length: 15
        Flags: 0x05
          LE Limited Discoverable Mode
          BR/EDR Not Supported
        Appearance: Remote Control (0x0180)
        16-bit Service UUIDs (partial): 3 entries
          Human Interface Device (0x1812)
          Battery Service (0x180f)
          Device Information (0x180a)
> HCI Event: Command Complete (0x0e) plen 4         #1025 [hci1] 836.037143
      LE Set Advertising Data (0x08|0x0008) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Scan.. (0x08|0x0009) plen 32  #1026 [hci1] 836.037778
        Length: 22
        Name (complete): NVIDIA SHIELD Remote
> HCI Event: Command Complete (0x0e) plen 4         #1027 [hci1] 836.039032
      LE Set Scan Response Data (0x08|0x0009) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Adve.. (0x08|0x0006) plen 15  #1028 [hci1] 836.039649
        Min advertising interval: 20.000 msec (0x0020)
        Max advertising interval: 20.000 msec (0x0020)
        Type: Connectable undirected - ADV_IND (0x00)
        Own address type: Public (0x02)
        Direct address type: Public (0x00)
        Direct address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Channel map: 37, 38, 39 (0x07)
        Filter policy: Allow Scan Request from Any, Allow Connect Request from Any (0x00)
> HCI Event: Command Complete (0x0e) plen 4         #1029 [hci1] 836.041059
      LE Set Advertising Parameters (0x08|0x0006) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Adver.. (0x08|0x000a) plen 1  #1030 [hci1] 836.041617
        Advertising: Enabled (0x01)
> HCI Event: Command Complete (0x0e) plen 4         #1031 [hci1] 836.044146
      LE Set Advertise Enable (0x08|0x000a) ncmd 1
        Status: Success (0x00)
> HCI Event: LE Meta Event (0x3e) plen 31           #1032 [hci1] 836.776845
      LE Enhanced Connection Complete (0x0a)
        Status: Success (0x00)
        Handle: 0 Address: 00:00:00:00:00:00 (OUI 00-00-00)
        Role: Peripheral (0x01)
        Peer address type: Resolved Public (0x02)
        Peer address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Local resolvable private address: 00:00:00:00:00:00 (Non-Resolvable)
        Peer resolvable private address: 53:6E:75:EF:0A:34 (Resolvable)
          Identity type: Public (0x00)
          Identity: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Connection interval: 48.75 msec (0x0027)
        Connection latency: 0 (0x0000)
        Supervision timeout: 10000 msec (0x03e8)
        Central clock accuracy: 0x01
@ MGMT Event: Device Connected (0x000b) plen 13  {0x0001} [hci1] 836.776999
        LE Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Flags: 0x00000000
        Data length: 0
< HCI Command: LE Read Remo.. (0x08|0x0016) plen 2  #1033 [hci1] 836.777167
        Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
@ RAW Open: btmon (privileged) version 2.22             {0x0004} 836.777817
@ RAW Close: btmon                                      {0x0004} 836.777829
> HCI Event: LE Meta Event (0x3e) plen 4            #1034 [hci1] 836.777798
      LE Channel Selection Algorithm (0x14)
        Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Algorithm: #1 (0x00)
@ MGMT Command: Pair Device (0x0019) plen 8      {0x0001} [hci1] 836.777975
        LE Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Capability: NoInputNoOutput (0x03)
@ MGMT Event: Command Complete (0x0001) plen 10  {0x0001} [hci1] 836.777985
      Pair Device (0x0019) plen 7
        Status: Already Paired (0x13)
        LE Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
> HCI Event: Command Status (0x0f) plen 4           #1035 [hci1] 836.778817
      LE Read Remote Used Features (0x08|0x0016) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Adver.. (0x08|0x000a) plen 1  #1036 [hci1] 836.779076
        Advertising: Disabled (0x00)
> HCI Event: Command Complete (0x0e) plen 4         #1037 [hci1] 836.780813
      LE Set Advertise Enable (0x08|0x000a) ncmd 1
        Status: Success (0x00)
> HCI Event: LE Meta Event (0x3e) plen 12           #1038 [hci1] 836.885795
      LE Read Remote Used Features (0x04)
        Status: Success (0x00)
        Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Features: 0xff 0x00 0x00 0x00 0x00 0x00 0x00 0x00
          LE Encryption
          Connection Parameter Request Procedure
          Extended Reject Indication
          Peripheral-initiated Features Exchange
          LE Ping
          LE Data Packet Length Extension
          LL Privacy
          Extended Scanner Filter Policies
< ACL Data TX: Handle 0 flags 0x00 dlen 6           #1039 [hci1] 836.886185
      SMP: Security Request (0x0b) len 1
        Authentication requirement: Bonding, No MITM, Legacy, No Keypresses (0x01)
> HCI Event: Number of Completed P.. (0x13) plen 5  #1040 [hci1] 836.982862
        Num handles: 1
        Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Count: 1
> HCI Event: LE Meta Event (0x3e) plen 13           #1041 [hci1] 837.031821
      LE Long Term Key Request (0x05)
        Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Random number: 0xef5a5ac662490108
        Encrypted diversifier: 0x6555
< HCI Command: LE Long Ter.. (0x08|0x001a) plen 18  #1042 [hci1] 837.031865
        Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Long term key: ea06c5bdb5409c43d3935b7e5b79877a
> HCI Event: Command Complete (0x0e) plen 6         #1043 [hci1] 837.033755
      LE Long Term Key Request Reply (0x08|0x001a) ncmd 1
        Status: Success (0x00)
        Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
> HCI Event: Encryption Change (0x08) plen 4        #1044 [hci1] 837.177841
        Status: Success (0x00)
        Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Encryption: Enabled with AES-CCM (0x01)
< HCI Command: Write Authen.. (0x03|0x007c) plen 4  #1045 [hci1] 837.177998
        Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Timeout: 30000 msec (0x0bb8)
> HCI Event: Command Complete (0x0e) plen 6         #1046 [hci1] 837.179778
      Write Authenticated Payload Timeout (0x03|0x007c) ncmd 1
        Status: Success (0x00)
        Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
> HCI Event: Disconnect Complete (0x05) plen 4      #1047 [hci1] 837.275758
        Status: Success (0x00)
        Handle: 0 Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Reason: Remote User Terminated Connection (0x13)
@ MGMT Event: Device Disconne.. (0x000c) plen 8  {0x0001} [hci1] 837.275853
        LE Address: 48:B0:2D:02:81:0A (NVIDIA Corporation)
        Reason: Connection terminated by remote host (0x03)
Comment 4 Bagas Sanjaya 2023-06-27 13:08:18 UTC
(In reply to Mohamed Yassine JEBABLI from comment #0)
> In reconnect slave mode, I start direct advertising. After establishing the
> connection with the central device, we begin ATT exchanges over the L2CAP
> socket, and then I receive a disconnect with L2CAP traces. This issue is
> observed across different kernel versions such as 5.17, 6.2, 6.3, 6.3.7, etc.
> 

Do you have this issue on v5.15?
Comment 5 Mohamed Yassine JEBABLI 2023-06-27 13:23:02 UTC
(In reply to Bagas Sanjaya from comment #4)
> (In reply to Mohamed Yassine JEBABLI from comment #0)
> > In reconnect slave mode, I start direct advertising. After establishing the
> > connection with the central device, we begin ATT exchanges over the L2CAP
> > socket, and then I receive a disconnect with L2CAP traces. This issue is
> > observed across different kernel versions such as 5.17, 6.2, 6.3, 6.3.7,
> etc.
> > 
> 
> Do you have this issue on v5.15?

Not tested on v5.15. I started with 5.17 version.
Comment 6 Bagas Sanjaya 2023-06-27 13:35:12 UTC
On 6/27/23 20:23, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=217581
> 
> --- Comment #5 from Mohamed Yassine JEBABLI
> (mohamed-yassine.jebabli@witbe.net) ---
> (In reply to Bagas Sanjaya from comment #4)
>> (In reply to Mohamed Yassine JEBABLI from comment #0)
>>> In reconnect slave mode, I start direct advertising. After establishing the
>>> connection with the central device, we begin ATT exchanges over the L2CAP
>>> socket, and then I receive a disconnect with L2CAP traces. This issue is
>>> observed across different kernel versions such as 5.17, 6.2, 6.3, 6.3.7,
>> etc.
>>>
>>
>> Do you have this issue on v5.15?
> 
> Not tested on v5.15. I started with 5.17 version.
> 

Again: Do you have this issue on v5.15?
Comment 7 Mohamed Yassine JEBABLI 2023-06-28 12:09:06 UTC
(In reply to Bagas Sanjaya from comment #6)
> On 6/27/23 20:23, bugzilla-daemon@kernel.org wrote:
> > https://bugzilla.kernel.org/show_bug.cgi?id=217581
> > 
> > --- Comment #5 from Mohamed Yassine JEBABLI
> > (mohamed-yassine.jebabli@witbe.net) ---
> > (In reply to Bagas Sanjaya from comment #4)
> >> (In reply to Mohamed Yassine JEBABLI from comment #0)
> >>> In reconnect slave mode, I start direct advertising. After establishing
> the
> >>> connection with the central device, we begin ATT exchanges over the L2CAP
> >>> socket, and then I receive a disconnect with L2CAP traces. This issue is
> >>> observed across different kernel versions such as 5.17, 6.2, 6.3, 6.3.7,
> >> etc.
> >>>
> >>
> >> Do you have this issue on v5.15?
> > 
> > Not tested on v5.15. I started with 5.17 version.
> > 
> 
> Again: Do you have this issue on v5.15?

Yes, with v5.15 I have this crash:
[ 1773.685161] ------------[ cut here ]------------
[ 1773.688454] WARNING: CPU: 1 PID: 728 at lib/refcount.c:25 l2cap_sock_teardown_cb+0x13c/0x23c
[ 1773.696823] refcount_t: addition on 0; use-after-free.
[ 1773.696833] Modules linked in: algif_hash algif_skcipher af_alg stm32_adc stm32_timer_trigger stm32_lptimer_trigger galcore(O) stm32_crc32 stm32_cryp stm32_hash libdes crypto_engine stm32_adc_core stm32_cec
[ 1773.696957] CPU: 1 PID: 728 Comm: HCIManager Tainted: G           O      5.15.67 #2
[ 1773.696978] Hardware name: STM32 (Device Tree Support)
[ 1773.697000] [<c0110c54>] (unwind_backtrace) from [<c010c61c>] (show_stack+0x10/0x14)
[ 1773.697039] [<c010c61c>] (show_stack) from [<c0ca2f50>] (dump_stack_lvl+0x40/0x4c)
[ 1773.697076] [<c0ca2f50>] (dump_stack_lvl) from [<c0120fc0>] (__warn+0xec/0x104)
[ 1773.697111] [<c0120fc0>] (__warn) from [<c0c9e214>] (warn_slowpath_fmt+0x98/0xc4)
[ 1773.697144] [<c0c9e214>] (warn_slowpath_fmt) from [<c0b67748>] (l2cap_sock_teardown_cb+0x13c/0x23c)
[ 1773.697180] [<c0b67748>] (l2cap_sock_teardown_cb) from [<c0b5f584>] (l2cap_chan_close+0x138/0x2f4)
[ 1773.697214] [<c0b5f584>] (l2cap_chan_close) from [<c0b67a60>] (l2cap_sock_shutdown+0x218/0x5ac)
[ 1773.697246] [<c0b67a60>] (l2cap_sock_shutdown) from [<c0b67e44>] (l2cap_sock_release+0x50/0xe8)
[ 1773.697279] [<c0b67e44>] (l2cap_sock_release) from [<c09b7f10>] (__sock_release+0x40/0xb8)
[ 1773.697315] [<c09b7f10>] (__sock_release) from [<c09b7f98>] (sock_close+0x10/0x18)
[ 1773.697345] [<c09b7f98>] (sock_close) from [<c02a6e84>] (__fput+0x74/0x240)
[ 1773.697376] [<c02a6e84>] (__fput) from [<c0141ac0>] (task_work_run+0x90/0xbc)
[ 1773.697405] [<c0141ac0>] (task_work_run) from [<c010c048>] (do_work_pending+0x498/0x594)
[ 1773.697432] [<c010c048>] (do_work_pending) from [<c01000c0>] (slow_work_pending+0xc/0x20)
[ 1773.697459] Exception stack(0xc2d0ffb0 to 0xc2d0fff8)
[ 1773.697478] ffa0:                                     00000000 00000002 00000000 00000000
[ 1773.697498] ffc0: 00000006 b4dfd8c0 00000005 00000006 b4dfd400 b4dfd470 00000000 b4dfcb7c
[ 1773.697515] ffe0: 00000006 b4dfcb58 b6b9fbf9 b6ba1b26 80030030 00000006
[ 1773.697529] ---[ end trace 414d690f067a95d5 ]---
[ 1773.701561] ------------[ cut here ]------------
[ 1773.706049] WARNING: CPU: 1 PID: 728 at lib/refcount.c:28 l2cap_sock_kill.part.0+0x28/0xc0
[ 1773.714484] refcount_t: underflow; use-after-free.
[ 1773.714500] Modules linked in: algif_hash algif_skcipher af_alg stm32_adc stm32_timer_trigger stm32_lptimer_trigger galcore(O) stm32_crc32 stm32_cryp stm32_hash libdes crypto_engine stm32_adc_core stm32_cec
[ 1773.714624] CPU: 1 PID: 728 Comm: HCIManager Tainted: G        W  O      5.15.67 #2
[ 1773.714648] Hardware name: STM32 (Device Tree Support)
[ 1773.714668] [<c0110c54>] (unwind_backtrace) from [<c010c61c>] (show_stack+0x10/0x14)
[ 1773.714711] [<c010c61c>] (show_stack) from [<c0ca2f50>] (dump_stack_lvl+0x40/0x4c)
[ 1773.714748] [<c0ca2f50>] (dump_stack_lvl) from [<c0120fc0>] (__warn+0xec/0x104)
[ 1773.714782] [<c0120fc0>] (__warn) from [<c0c9e214>] (warn_slowpath_fmt+0x98/0xc4)
[ 1773.714815] [<c0c9e214>] (warn_slowpath_fmt) from [<c0b6754c>] (l2cap_sock_kill.part.0+0x28/0xc0)
[ 1773.714850] [<c0b6754c>] (l2cap_sock_kill.part.0) from [<c0b67708>] (l2cap_sock_teardown_cb+0xfc/0x23c)
[ 1773.714885] [<c0b67708>] (l2cap_sock_teardown_cb) from [<c0b5f584>] (l2cap_chan_close+0x138/0x2f4)
[ 1773.714917] [<c0b5f584>] (l2cap_chan_close) from [<c0b67a60>] (l2cap_sock_shutdown+0x218/0x5ac)
[ 1773.714949] [<c0b67a60>] (l2cap_sock_shutdown) from [<c0b67e44>] (l2cap_sock_release+0x50/0xe8)
[ 1773.714983] [<c0b67e44>] (l2cap_sock_release) from [<c09b7f10>] (__sock_release+0x40/0xb8)
[ 1773.715017] [<c09b7f10>] (__sock_release) from [<c09b7f98>] (sock_close+0x10/0x18)
[ 1773.715046] [<c09b7f98>] (sock_close) from [<c02a6e84>] (__fput+0x74/0x240)
[ 1773.715075] [<c02a6e84>] (__fput) from [<c0141ac0>] (task_work_run+0x90/0xbc)
[ 1773.715104] [<c0141ac0>] (task_work_run) from [<c010c048>] (do_work_pending+0x498/0x594)
[ 1773.715131] [<c010c048>] (do_work_pending) from [<c01000c0>] (slow_work_pending+0xc/0x20)
[ 1773.715157] Exception stack(0xc2d0ffb0 to 0xc2d0fff8)
[ 1773.715177] ffa0:                                     00000000 00000002 00000000 00000000
[ 1773.715197] ffc0: 00000006 b4dfd8c0 00000005 00000006 b4dfd400 b4dfd470 00000000 b4dfcb7c
[ 1773.715214] ffe0: 00000006 b4dfcb58 b6b9fbf9 b6ba1b26 80030030 00000006
[ 1773.715227] ---[ end trace 414d690f067a95d6 ]---
Comment 8 Mohamed Yassine JEBABLI 2023-06-29 08:40:00 UTC
(In reply to Bagas Sanjaya from comment #6)
> On 6/27/23 20:23, bugzilla-daemon@kernel.org wrote:
> > https://bugzilla.kernel.org/show_bug.cgi?id=217581
> > 
> > --- Comment #5 from Mohamed Yassine JEBABLI
> > (mohamed-yassine.jebabli@witbe.net) ---
> > (In reply to Bagas Sanjaya from comment #4)
> >> (In reply to Mohamed Yassine JEBABLI from comment #0)
> >>> In reconnect slave mode, I start direct advertising. After establishing
> the
> >>> connection with the central device, we begin ATT exchanges over the L2CAP
> >>> socket, and then I receive a disconnect with L2CAP traces. This issue is
> >>> observed across different kernel versions such as 5.17, 6.2, 6.3, 6.3.7,
> >> etc.
> >>>
> >>
> >> Do you have this issue on v5.15?
> > 
> > Not tested on v5.15. I started with 5.17 version.
> > 
> 
> Again: Do you have this issue on v5.15?

Tested on kernel v5.15 with l2cap_core traces enabled.
==> The same scenario from reconnect to disconnect and I think the same bug related to refcount which goes to NULL in the other versions > v5.15.

Jun 28 14:41:36 buildroot kernel: chan 7942e3b3 orig refcnt 1
Jun 28 14:41:36 buildroot kernel: hcon 5a56584a bdaddr 48:b0:2d:02:81:0a status 0
Jun 28 14:41:36 buildroot kernel: hcon 5a56584a conn d7202d29 hchan 981967be
Jun 28 14:41:36 buildroot kernel: chan 7942e3b3 orig refcnt 2
Jun 28 14:41:36 buildroot kernel: chan e8221202
Jun 28 14:41:36 buildroot kernel: chan e8221202 orig refcnt 1
Jun 28 14:41:36 buildroot kernel: conn d7202d29, psm 0x00, dcid 0x0004
Jun 28 14:41:36 buildroot kernel: chan e8221202 orig refcnt 2
Jun 28 14:41:36 buildroot kernel: chan e5e549e1 orig refcnt 1
Jun 28 14:41:36 buildroot kernel: chan 7942e3b3 orig refcnt 3
Jun 28 14:41:36 buildroot kernel: chan 05ee00c1
Jun 28 14:41:36 buildroot kernel: conn d7202d29, psm 0x00, dcid 0x0006
Jun 28 14:41:36 buildroot kernel: chan 05ee00c1 orig refcnt 1
Jun 28 14:41:36 buildroot kernel: chan e5e549e1 orig refcnt 2
Jun 28 14:41:36 buildroot kernel: conn d7202d29
Jun 28 14:41:36 buildroot kernel: chan 05ee00c1 len 2
Jun 28 14:41:36 buildroot kernel: chan 05ee00c1, skb 62f90460 len 6 priority 7
Jun 28 14:41:36 buildroot kernel: hci1 conn d7202d29
Jun 28 14:41:36 buildroot kernel: 
Jun 28 14:41:37 buildroot kernel: hcon 5a56584a reason 19
Jun 28 14:41:37 buildroot kernel: hcon 5a56584a conn d7202d29, err 104
Jun 28 14:41:37 buildroot kernel: chan 05ee00c1 orig refcnt 2
Jun 28 14:41:37 buildroot kernel: chan 05ee00c1, conn d7202d29, err 104, state BT_CONNECTED
Jun 28 14:41:37 buildroot kernel: chan 05ee00c1 orig refcnt 3
Jun 28 14:41:37 buildroot kernel: chan 05ee00c1 orig refcnt 2
Jun 28 14:41:37 buildroot kernel: chan 05ee00c1 orig refcnt 1
Jun 28 14:41:37 buildroot kernel: chan 05ee00c1
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 3
Jun 28 14:41:37 buildroot kernel: chan e8221202, conn d7202d29, err 104, state BT_OPEN
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 4
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 3
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 2
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 orig refcnt 2
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 state BT_LISTEN
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 1
Jun 28 14:41:37 buildroot kernel: chan e8221202
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 0
Jun 28 14:41:37 buildroot kernel: ------------[ cut here ]------------
Jun 28 14:41:37 buildroot kernel: WARNING: CPU: 1 PID: 476 at lib/refcount.c:25 l2cap_sock_teardown_cb+0x13c/0x23c
Jun 28 14:41:37 buildroot kernel: refcount_t: addition on 0; use-after-free.
Jun 28 14:41:37 buildroot kernel: Modules linked in: algif_hash algif_skcipher af_alg stm32_adc stm32_timer_trigger stm32_lptimer_trigger galcore(O) stm32_crc32 stm32_cryp stm32_hash libdes crypto_engine stm32_adc_core stm32_cec
Jun 28 14:41:37 buildroot kernel: CPU: 1 PID: 476 Comm: HCIManager Tainted: G           O      5.15.67 #2
Jun 28 14:41:37 buildroot kernel: Hardware name: STM32 (Device Tree Support)
Jun 28 14:41:37 buildroot kernel: [<c0110c54>] (unwind_backtrace) from [<c010c61c>] (show_stack+0x10/0x14)
Jun 28 14:41:37 buildroot kernel: [<c010c61c>] (show_stack) from [<c0ca2f50>] (dump_stack_lvl+0x40/0x4c)
Jun 28 14:41:37 buildroot kernel: [<c0ca2f50>] (dump_stack_lvl) from [<c0120fc0>] (__warn+0xec/0x104)
Jun 28 14:41:37 buildroot kernel: [<c0120fc0>] (__warn) from [<c0c9e214>] (warn_slowpath_fmt+0x98/0xc4)
Jun 28 14:41:37 buildroot kernel: [<c0c9e214>] (warn_slowpath_fmt) from [<c0b67748>] (l2cap_sock_teardown_cb+0x13c/0x23c)
Jun 28 14:41:37 buildroot kernel: [<c0b67748>] (l2cap_sock_teardown_cb) from [<c0b5f584>] (l2cap_chan_close+0x138/0x2f4)
Jun 28 14:41:37 buildroot kernel: [<c0b5f584>] (l2cap_chan_close) from [<c0b67a60>] (l2cap_sock_shutdown+0x218/0x5ac)
Jun 28 14:41:37 buildroot kernel: [<c0b67a60>] (l2cap_sock_shutdown) from [<c0b67e44>] (l2cap_sock_release+0x50/0xe8)
Jun 28 14:41:37 buildroot kernel: [<c0b67e44>] (l2cap_sock_release) from [<c09b7f10>] (__sock_release+0x40/0xb8)
Jun 28 14:41:37 buildroot kernel: [<c09b7f10>] (__sock_release) from [<c09b7f98>] (sock_close+0x10/0x18)
Jun 28 14:41:37 buildroot kernel: [<c09b7f98>] (sock_close) from [<c02a6e84>] (__fput+0x74/0x240)
Jun 28 14:41:37 buildroot kernel: [<c02a6e84>] (__fput) from [<c0141ac0>] (task_work_run+0x90/0xbc)
Jun 28 14:41:37 buildroot kernel: [<c0141ac0>] (task_work_run) from [<c010c048>] (do_work_pending+0x498/0x594)
Jun 28 14:41:37 buildroot kernel: [<c010c048>] (do_work_pending) from [<c01000c0>] (slow_work_pending+0xc/0x20)
Jun 28 14:41:37 buildroot kernel: Exception stack(0xc3fe1fb0 to 0xc3fe1ff8)
Jun 28 14:41:37 buildroot kernel: 1fa0:                                     00000000 00000002 00000000 00000000
Jun 28 14:41:37 buildroot kernel: 1fc0: 00000006 b4dfd8c0 00000005 00000006 b4dfd400 b4dfd470 00000000 b4dfcb7c
Jun 28 14:41:37 buildroot kernel: 1fe0: 00000006 b4dfcb58 b6b96bf9 b6b98b26 80030030 00000006
Jun 28 14:41:37 buildroot kernel: ---[ end trace b1ffe2b440acbd97 ]---
Jun 28 14:41:37 buildroot kernel: chan e8221202 state BT_OPEN
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 3221225472
Jun 28 14:41:37 buildroot kernel: ------------[ cut here ]------------
Jun 28 14:41:37 buildroot kernel: WARNING: CPU: 1 PID: 476 at lib/refcount.c:28 l2cap_sock_kill.part.0+0x28/0xc0
Jun 28 14:41:37 buildroot kernel: refcount_t: underflow; use-after-free.
Jun 28 14:41:37 buildroot kernel: Modules linked in: algif_hash algif_skcipher af_alg stm32_adc stm32_timer_trigger stm32_lptimer_trigger galcore(O) stm32_crc32 stm32_cryp stm32_hash libdes crypto_engine stm32_adc_core stm32_cec
Jun 28 14:41:37 buildroot kernel: CPU: 1 PID: 476 Comm: HCIManager Tainted: G        W  O      5.15.67 #2
Jun 28 14:41:37 buildroot kernel: Hardware name: STM32 (Device Tree Support)
Jun 28 14:41:37 buildroot kernel: [<c0110c54>] (unwind_backtrace) from [<c010c61c>] (show_stack+0x10/0x14)
Jun 28 14:41:37 buildroot kernel: [<c010c61c>] (show_stack) from [<c0ca2f50>] (dump_stack_lvl+0x40/0x4c)
Jun 28 14:41:37 buildroot kernel: [<c0ca2f50>] (dump_stack_lvl) from [<c0120fc0>] (__warn+0xec/0x104)
Jun 28 14:41:37 buildroot kernel: [<c0120fc0>] (__warn) from [<c0c9e214>] (warn_slowpath_fmt+0x98/0xc4)
Jun 28 14:41:37 buildroot kernel: [<c0c9e214>] (warn_slowpath_fmt) from [<c0b6754c>] (l2cap_sock_kill.part.0+0x28/0xc0)
Jun 28 14:41:37 buildroot kernel: [<c0b6754c>] (l2cap_sock_kill.part.0) from [<c0b67708>] (l2cap_sock_teardown_cb+0xfc/0x23c)
Jun 28 14:41:37 buildroot kernel: [<c0b67708>] (l2cap_sock_teardown_cb) from [<c0b5f584>] (l2cap_chan_close+0x138/0x2f4)
Jun 28 14:41:37 buildroot kernel: [<c0b5f584>] (l2cap_chan_close) from [<c0b67a60>] (l2cap_sock_shutdown+0x218/0x5ac)
Jun 28 14:41:37 buildroot kernel: [<c0b67a60>] (l2cap_sock_shutdown) from [<c0b67e44>] (l2cap_sock_release+0x50/0xe8)
Jun 28 14:41:37 buildroot kernel: [<c0b67e44>] (l2cap_sock_release) from [<c09b7f10>] (__sock_release+0x40/0xb8)
Jun 28 14:41:37 buildroot kernel: [<c09b7f10>] (__sock_release) from [<c09b7f98>] (sock_close+0x10/0x18)
Jun 28 14:41:37 buildroot kernel: [<c09b7f98>] (sock_close) from [<c02a6e84>] (__fput+0x74/0x240)
Jun 28 14:41:37 buildroot kernel: [<c02a6e84>] (__fput) from [<c0141ac0>] (task_work_run+0x90/0xbc)
Jun 28 14:41:37 buildroot kernel: [<c0141ac0>] (task_work_run) from [<c010c048>] (do_work_pending+0x498/0x594)
Jun 28 14:41:37 buildroot kernel: [<c010c048>] (do_work_pending) from [<c01000c0>] (slow_work_pending+0xc/0x20)
Jun 28 14:41:37 buildroot kernel: Exception stack(0xc3fe1fb0 to 0xc3fe1ff8)
Jun 28 14:41:37 buildroot kernel: 1fa0:                                     00000000 00000002 00000000 00000000
Jun 28 14:41:37 buildroot kernel: 1fc0: 00000006 b4dfd8c0 00000005 00000006 b4dfd400 b4dfd470 00000000 b4dfcb7c
Jun 28 14:41:37 buildroot kernel: 1fe0: 00000006 b4dfcb58 b6b96bf9 b6b98b26 80030030 00000006
Jun 28 14:41:37 buildroot kernel: ---[ end trace b1ffe2b440acbd98 ]---
Jun 28 14:41:37 buildroot kernel: chan e8221202 orig refcnt 3221225472
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 orig refcnt 3
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 orig refcnt 2
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 orig refcnt 3
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 orig refcnt 2
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3 orig refcnt 1
Jun 28 14:41:37 buildroot kernel: chan 7942e3b3
Comment 9 Mohamed Yassine JEBABLI 2023-06-29 14:14:56 UTC
With the same application in user space and the same scenario, I have the same crash behavior that occurs right after establishing the connection with the master, but the causes are different: "underflow; use-after-free" and "addition on 0; use-after-free".
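
Added triage helper (not part of the bug report or of the kernel tree) for the l2cap_core traces in comment 8 and the two warnings named in comment 9. It keys on the "chan <ptr> orig refcnt <n>" line that l2cap_chan_hold/put print, which reports the count before the operation, so a printed 0 means the hold/put already ran on a freed channel (the "addition on 0" warning), and a printed 3221225472 (0xC0000000, the refcount_t saturation value) means every later hold/put on that channel is also on a dead object. The SAMPLE lines are a constructed excerpt shaped like the comment 8 trace, with the syslog prefix shortened.

```python
import re
from collections import defaultdict

# refcount_t pins a misused counter at INT_MIN/2 (0xC0000000); that is the
# 3221225472 printed after the first WARNING in the trace above.
REFCOUNT_SATURATED = 0xC0000000

# "chan <ptr> orig refcnt <n>" is the l2cap_chan_hold/put debug print and
# shows the count *before* the operation. A syslog prefix may precede it.
REFCNT_RE = re.compile(r"chan ([0-9a-f]+) orig refcnt (\d+)\s*$")


def find_refcount_anomalies(lines):
    """Scan l2cap_core debug output and return (line_no, chan, kind) tuples.

    kind == "op-on-zero": hold/put ran while the count was already 0, i.e.
        the channel had been freed (matches "addition on 0; use-after-free").
    kind == "saturated": the count is the refcount_t saturation value, so
        every later hold/put on that channel is also on a dead object.
    """
    anomalies = []
    for no, line in enumerate(lines, 1):
        m = REFCNT_RE.search(line)
        if not m:
            continue
        chan, cnt = m.group(1), int(m.group(2))
        if cnt == 0:
            anomalies.append((no, chan, "op-on-zero"))
        elif cnt == REFCOUNT_SATURATED:
            anomalies.append((no, chan, "saturated"))
    return anomalies


def refcount_history(lines):
    """Per-channel list of refcnt values in order, to eyeball a trajectory."""
    hist = defaultdict(list)
    for line in lines:
        m = REFCNT_RE.search(line)
        if m:
            hist[m.group(1)].append(int(m.group(2)))
    return dict(hist)


# Constructed excerpt in the shape of the comment 8 trace (prefix shortened).
SAMPLE = """\
kernel: chan e8221202 orig refcnt 3
kernel: chan e8221202 orig refcnt 2
kernel: chan 7942e3b3 orig refcnt 2
kernel: chan e8221202 orig refcnt 1
kernel: chan e8221202
kernel: chan e8221202 orig refcnt 0
kernel: WARNING: CPU: 1 PID: 476 at lib/refcount.c:25 l2cap_sock_teardown_cb+0x13c/0x23c
kernel: chan e8221202 orig refcnt 3221225472
kernel: chan 7942e3b3 orig refcnt 1
""".splitlines()

if __name__ == "__main__":
    for no, chan, kind in find_refcount_anomalies(SAMPLE):
        print(f"line {no}: chan {chan}: {kind}")
```

Feed it the full log from the attachment (`find_refcount_anomalies(open(path).readlines())`) to get the first line at which each channel was touched after its count hit zero, which is the point to correlate with the btmon disconnect.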
